Cryptography Reference
In-Depth Information
Because the default of this optional value is false, for all intents and purposes
if it's present then the extension is critical.
What differentiates a critical from a non-critical extension? According to
the specifi cation, if an implementation does not recognize an extension that
is marked critical, it should reject the whole certifi cate. Otherwise, the exten-
sion can be safely ignored. Note that the implementation presented here is not
compliant, for this reason.
How the data fi eld is interpreted depends on the OID. It's always declared
as an OCTET STRING ; for all defi ned extensions, this is an string of bytes whose
contents must in turn be parsed as an ASN.1 DER-encoded structure (the X.509
people clearly weren't really aiming for optimal effi ciency).
This topic doesn't have enough space to cover all, or even most, X.509 exten-
sions. One worth examining is the key usage extension, though. If the OID
is 2.5.29.15 then the extension describes key usage, and the fi nal fi eld is a bit
fi eld. The bits are interpreted in big-endian order, and the most important
is bit 5. If bit 5 is set then the certifi cate is a CA and can legitimately sign
other certifi cates. Presumably, the signing CA checked that this was truly
the case before signing the certifi cate. Processing the key usage bit is shown
in Listing 5-22.
Listing 5-22: “x509.c” parse_extension with key usage recognition
static const unsigned char OID_keyUsage[] = { 0x55, 0x1D, 0x0F };
#define BIT_CERT_SIGNER 5
...
}
if ( !memcmp( oid->data, OID_keyUsage, oid->length ) )
{
struct asn1struct key_usage_bit_string;
asn1parse( data->data, data->length, &key_usage_bit_string );
if ( asn1_get_bit( key_usage_bit_string.length,
key_usage_bit_string.data,
BIT_CERT_SIGNER ) )
{
certificate->certificate_authority = 1;
}
asn1free( &key_usage_bit_string );
}
// TODO recognize and parse other extensions - there are several
As you can see, the data node is itself another ASN.1-encoded structure, which
must be parsed when the key usage OID is encountered. In the case of key usage,
the contents of this ASN.1 structure are a single-bit string. Bit strings can be a
tad complex because they're permitted by ASN.1 to be of arbitrary length. The
fi rst byte of the data fi eld is the number of padding bits that were added to pad
up to an eight-bit boundary. Implement a handling function as shown in Listing
5-23 to retrieve the value of a single bit from an ASN.1 bit string.
 
Search WWH ::




Custom Search